[nycbug-talk] fave BSD tips/tricks?

[Andy Kosela]

Miles Nordin <carton at ivy.net> wrote:

> I said something like ``kernel code, setuid binaries, and listening
> daemons matter because they are exposed to attackers.  For ordinary
> userspace programs, programs you don't run are no less secure than
> programs that aren't installed, because the attacker can just upload
> whatever code he needs.  Not installing a compiler inconveniences you
> more than the attacker, and `inconvenience the attacker' should not be
> the goal of your security anyway.''  There's no whiteboard involved in
> the ``threat modeling'' I did, but pointing out ``these classes of
> threats are equivalent'' sounds like a model to me.

I generally agree with Miles here, but still think that X11 on the
production server (say DNS or mail) is not really necessary and it saves
you from some bloat.  For me the UNIX toolkit is strictly CLI tools -- 
X11 is only good for a desktop machine anyway.

--Andy